Cyrus Vance Jr., the New York County District Attorney for Manhattan, has added his voice to a growing litany of political complaint about the zero-knowledge encryption which Google and Apple provide via their mobile operating systems.
Addressing the 6th Annual Financial Crimes and Cybersecurity Symposium yesterday, the DA discussed what he describes as the “going dark” problem facing investigatory services, whose subpoenas cannot be obeyed by companies that provide client-side encryption in devices and cannot themselves access their customers’ data. Vance said:
“As a prosecutor, I have no higher public policy priority than to persuade Congress to enact sensible statutes that will protect legitimate privacy concerns, while giving law enforcement the ability to access cellphones when necessary to prosecute serious crimes and fight terrorism. I understand that Apple and Google did not take their actions in a vacuum. The public is angry, and at times understandably angry, at some highly-publicized cases of overreaching in intelligence-gathering. I have no doubt that full-disk encryption is a strong branding and public-relations move for Apple and Google in the wake of Edward Snowden’s disclosures. But ultimately, the line between an individual’s right to privacy and the legitimate needs of law enforcement should not be decided by the marketing departments of smartphone companies. That line should be defined by legislatures and the courts.”
Vance Jr. goes on to explain carefully in his address that ‘lawful access to criminal evidence on smartphones’ is unrelated to the kind of mass-surveillance which he admits has rightly outraged the public in the wake of Edward Snowden’s revelations, and that the warrant requirement now being dodged by full-disk encryption goes back two centuries.
He also discusses a new report from his department, due for release today, which will, he says, provide a solution that is both technologically and politically workable. He cites the recent attacks in Paris as a spark for a new debate about whether zero-knowledge encryption can be permitted to continue. Referring to gestures of support for the victims of the attacks, by Uber and Facebook, Vance Jr. said “I hope the same spirit of public-mindedness will lead smartphone providers to negotiate a solution to this problem.” Discussing what his department is asking for, Vance said:
“Our solution requires no new technology or costly adjustments. In fact, our report makes clear what kind of access we do not seek. We do not want a backdoor for the government. We do not want a “key” held by the government, and we do not want to collect bulk data on anybody.”
So, as far as can be deduced, the request boils down to Google and Apple deactivating zero-knowledge encryption for the Android and iOS mobile operating systems, respectively.
Comment
It is difficult to see how Vance Jr.’s request occupies the ‘rare middle ground’ that he has claimed in his speech. Rather it seems to be a repeat of the same governmental complaint that has been sounded out at measured and carefully-timed intervals ever since Apple – not the innovator in zero knowledge on mobile – brought the subject of local encryption control to the fore with the release of iOS 8 in late summer of 2014. Identical complaints (and equally ‘affable’ solutions in exactly the same mould) have emerged in the last 12-14 months from the U.S. attorney general, FBI director James Comey, the UK’s National Crime Agency chief, Barack Obama and David Cameron, and the former Chief of Britain’s Secret Intelligence Service. Not all of them have an equal understanding of the realities of encryption and the consequences of returning the keys to hackable servers, but they all know one thing – they just want it to stop, or at least to go back to the way it was before.
It was predictable that Paris would be a source of emotional capital for this anti-ZK impetus in government, and one has to applaud Vance for waiting a decent interval before exploiting the misery of Parisians; but if the idea of reasonable privacy for the individual was ethically sound before the Paris attacks, it doesn’t cease to be sound even if worse things follow.